Fixes a security hole that allowed a third-party website to reuse a valid
(challenge, response) pair. This pair, obtainable externally from an approved
groupex website, enabled it to discover personal information from Xs with a
permanent/valid cookie on Xorg.

The fix forces the return URL to match a defined regexp; backward compatibility
is retained, though the hole won't be fixed until all entries in groupex_auth
have been given a non-empty return URL regexp.

Signed-off-by: Vincent Zanotti <vincent.zanotti@polytechnique.org>
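
The return-URL check described in this commit message, sketched in Python as an added example (not the project's own code): the groupex_auth rows, the site keys and the function names are assumptions. It uses a full match, so a URL that merely contains an approved URL is refused, and it lists the entries whose empty regexp leaves them unprotected.

```python
import re

# Constructed stand-in for the groupex_auth table: site key -> return-URL regexp.
# The page only names the table; these rows and keys are made up for illustration.
GROUPEX_AUTH = {
    "site-a": r"https://groupe-a\.example\.org/auth/.*",
    "legacy": "",  # empty regexp: kept working for backward compatibility
}


def return_url_allowed(site, return_url, table=GROUPEX_AUTH):
    """Return (allowed, enforced) for an authentication request.

    allowed  -- whether the response may be sent to return_url
    enforced -- whether a regexp was actually applied; False means the entry
                is still in backward-compatible mode and remains exposed
    """
    if site not in table:
        return (False, False)          # unknown site: never answer
    pattern = table[site]
    if not pattern.strip():
        return (True, False)           # old behaviour, hole still open
    # fullmatch anchors both ends; re.search or re.match would accept a
    # foreign URL that embeds or merely starts like the approved one.
    return (re.fullmatch(pattern, return_url) is not None, True)


def unprotected_sites(table=GROUPEX_AUTH):
    """Entries that still need a non-empty return-URL regexp."""
    return sorted(site for site, pattern in table.items() if not pattern.strip())


if __name__ == "__main__":
    samples = [
        ("site-a", "https://groupe-a.example.org/auth/cb?x=1"),
        ("site-a", "https://other.example.net/?u=https://groupe-a.example.org/auth/"),
        ("legacy", "https://other.example.net/"),
    ]
    for site, url in samples:
        print(site, url, return_url_allowed(site, url))
    print("still unprotected:", unprotected_sites())
```

Running `unprotected_sites()` against the real table after deploying such a check shows which entries are still served without any return-URL restriction.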